Frank shows you how to update the encryption key used by an RDS instance


I want to update the encryption key used by my RDS instance to a new encryption key. How do I do that?

Although you can't change the encryption key used by an RDS instance, you can create a copy of the instance and choose a new encryption key for the copy.

To create a copy of a DB instance with a new encryption key, perform the following steps:

  1. Create a manual snapshot of your existing instance.
    Note: If you have a recent manual snapshot of your instance, you can skip this step.
  2. From the Snapshots pane of the RDS console, select your snapshot and choose Copy Snapshot.
    For Enable Encryption, choose Yes.
    For Master Key, choose the new encryption key you want to use.
    Note: If you prefer, you can copy the snapshot using the AWS CLI or RDS API instead.
  3. Restore the copied snapshot.

The new DB instance will use your preferred encryption key. If you no longer need the old DB instance, you can delete it.

Note: Before deleting the old instance, ensure that your new database has all necessary data and is successfully integrated into your application.
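The three steps above can also be run from the AWS CLI, which the note in step 2 mentions as an alternative to the console. This is an added example, not part of the original article; the function name, the snapshot naming scheme and the final key check are assumptions. It also assumes the new key is passed as a full key ARN, because `describe-db-instances` reports `KmsKeyId` as an ARN.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): re-key an RDS instance by
# snapshot -> encrypted copy under a new KMS key -> restore -> verify.
# Assumption: the new key is given as a full key ARN, because the final
# check is a plain string comparison against the reported KmsKeyId.

rekey_rds_instance() {
  local src_instance="$1" new_instance="$2" new_key_arn="$3" tag="$4"
  local snap="${src_instance}-rekey-${tag}"   # hypothetical naming scheme
  local copy="${snap}-copy"

  # Step 1: manual snapshot of the existing instance.
  aws rds create-db-snapshot \
    --db-instance-identifier "$src_instance" \
    --db-snapshot-identifier "$snap" || return 1
  aws rds wait db-snapshot-available --db-snapshot-identifier "$snap" || return 1

  # Step 2: copy the snapshot, encrypting the copy with the new key.
  aws rds copy-db-snapshot \
    --source-db-snapshot-identifier "$snap" \
    --target-db-snapshot-identifier "$copy" \
    --kms-key-id "$new_key_arn" || return 1
  aws rds wait db-snapshot-available --db-snapshot-identifier "$copy" || return 1

  # Step 3: restore the copied snapshot as a new instance.
  aws rds restore-db-instance-from-db-snapshot \
    --db-instance-identifier "$new_instance" \
    --db-snapshot-identifier "$copy" || return 1
  aws rds wait db-instance-available --db-instance-identifier "$new_instance" || return 1

  # Confirm the new instance reports the intended key before the old
  # instance is considered for deletion.
  local actual
  actual=$(aws rds describe-db-instances \
    --db-instance-identifier "$new_instance" \
    --query 'DBInstances[0].KmsKeyId' --output text) || return 1
  if [ "$actual" != "$new_key_arn" ]; then
    echo "key mismatch: $new_instance uses $actual" >&2
    return 2
  fi
  echo "$new_instance is encrypted with $new_key_arn"
}

# Run only when all four arguments are supplied:
#   SRC_INSTANCE NEW_INSTANCE NEW_KEY_ARN TAG
if [ "$#" -eq 4 ]; then
  rekey_rds_instance "$@"
fi
```

The restore call here passes only the required identifiers; add the instance class, subnet group and security group options your environment needs.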


Published: 2017-02-02